Replace only if commas exist

treverce
Explorer

I have a dashboard (form) where I'm trying to allow a text field to accept single values or comma-separated values that will be replaced by "* OR". Right now, when I first start up the dashboard and enter a single value, it just stays at "Search is waiting for input..". If I enter comma-separated values, it will run the search. I tried wrapping the eval in an if statement to check for commas, but that didn't seem to do anything.

Here is what I currently have:

<input type="text" token="clientTransactionId" searchWhenChanged="true" id="webOrder">
  <label>Transaction Id (for multiple use csv's):</label>
  <change>
    <eval token="clientTransactionId_formatted">if(like($clientTransactionId$, "%,%"),replace($clientTransactionId$,",","* OR"),$clientTransactionId$)</eval>
  </change>
</input>

And here is what I tried before:

<eval token="clientTransactionId_formatted">replace($clientTransactionId$,",","* OR")</eval>

How can I set this up to run? I need it to eval before the search; there are too many transactions to filter after the search has run.

Thanks!

0 Karma

manjunathmeti
Champion

Your code looks good, and the statement below is enough: the replace occurs only if "," is present in the input; otherwise clientTransactionId_formatted is set to clientTransactionId. Can you post the XML part where the token clientTransactionId_formatted is used?

<eval token="clientTransactionId_formatted">replace($clientTransactionId$,",","* OR")</eval>
0 Karma

treverce
Explorer

This is what I have right now:

<search>
  <query>
    index=[redacted] (source="[redacted]*" OR source="[redacted]*") $clientTransactionId_formatted$* $actionType$ earliest=$date_range$ latest=now ...
  </query>
  <earliest>-7d@h</earliest>
  <latest>now</latest>
  <sampleRatio>1</sampleRatio>
</search>

(Sorry, I had to redact things for company security/privacy.)

0 Karma

treverce
Explorer

The more I play with it, the more it seems this only happens if it's a SINGLE transaction on the first query after I load the page. If I start with csv's then it works on the first start, just not when it's the first query of a single transaction.

0 Karma

treverce
Explorer

I think I see what is causing the issue: I have a second input (multiselect), and if it's "populating" when I enter into the first one, it doesn't trigger the eval. Not sure why those would be dependent on one another. I have a few static options defined, such as an "All" which is a * value as default.

If I wait until after "populating" is completed, it works.

<input type="multiselect" token="actionType" searchWhenChanged="true" id="action">
  <label>Action Type:</label>
  <choice value="*">All</choice>
  <choice value="">------------------------------------------</choice>
  <valuePrefix>"actionType:
  </valuePrefix>
  <delimiter>
    OR
  </delimiter>
  <fieldForLabel>ACTION_TYPE</fieldForLabel>
  <fieldForValue>ACTION_TYPE</fieldForValue>
  <search>
    <query>[REDACTED]</query>
    <earliest>-5m</earliest>
    <latest>now</latest>
  </search>
  <valueSuffix>"</valueSuffix>
  <default>*</default>
</input>
0 Karma

manjunathmeti
Champion

Is searchWhenChanged="true" set for the other token inputs? Are you using a Submit button? I don't see any issue with this text input. You can use the XML below; it gives output for a single value also.

<form>
  <fieldset submitButton="false">
    <input type="text" token="clientTransactionId" searchWhenChanged="true" id="webOrder">
      <label>Transaction Id (for multiple use csv's):</label>
      <change>
        <eval token="clientTransactionId_formatted">replace($clientTransactionId$,",","* OR ")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <html>
      <h3>Token:</h3>
      <div class="custom-result-value">$clientTransactionId_formatted$</div>
    </html>
  </row>
</form>
0 Karma
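
Added example, not part of any post in this thread: a JavaScript model of the token formatting discussed above, which trims and validates each comma-separated id before joining with `* OR ` (the query in the thread appends the final `*` itself). The function names, the allowed id character set, and the sample inputs are assumptions made for illustration.

```javascript
// Added example: models the token formatting from the thread, with validation.
// Assumption: a transaction id contains only letters, digits, "-" and "_".
const ID_PATTERN = /^[A-Za-z0-9_-]+$/;

// Returns the string intended for $clientTransactionId_formatted$, or null
// when the input is empty or contains anything that is not a plain id.
function formatTransactionIds(raw) {
  if (typeof raw !== "string") return null;
  const ids = raw
    .split(",")
    .map((part) => part.trim())
    .filter((part) => part.length > 0); // tolerate "a,,b" and trailing commas
  if (ids.length === 0) return null;
  // Reject the whole input if any piece could change the search structure
  // (pipes, brackets, quotes, spaces inside an id, and so on).
  if (!ids.every((id) => ID_PATTERN.test(id))) return null;
  const unique = [...new Set(ids)]; // drop repeated ids, keep input order
  return unique.join("* OR ");
}

// The one-line replace from the first post (no space after OR), for comparison.
function naiveReplace(raw) {
  return raw.replace(/,/g, "* OR");
}

// Constructed sample inputs, not taken from the thread.
const samples = [
  "TX1001",                  // single value: returned unchanged
  "TX1001, TX1002,TX1003,",  // spaces and a trailing comma
  "TX1001 | stats count",    // would alter the search: rejected
  "",                        // empty: token should stay unset
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", formatTransactionIds(s));
}
console.log("naive:", naiveReplace("TX1001,TX1002"));
```

A `null` result corresponds to leaving the token unset, so the panel keeps waiting for input instead of running a malformed search.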